10 commits

Author	SHA1	Message	Date
Joey Orlando	fa071bcd6e	chore: add pytest-socket library + disable network calls in tests (#5315) ... # What this PR does Inspired by [this discussion](https://github.com/grafana/oncall/pull/5307#discussion_r1862449480). _tldr;_ ensures that if any of our tests try making an external network call, they will fail. Setup an example test: ```python def test_external_network_call(): import requests response = requests.get('https://www.example.com') assert response.status_code == 200 ``` and it worked (failed; [example CI test run](https://github.com/grafana/oncall/actions/runs/12106416991/job/33752144727?pr=5315#step:6:389)) as expected: ```bash __________________________ test_external_network_call __________________________ def test_external_network_call(): import requests > response = requests.get('https://www.example.com') requests = <module 'requests' from '/opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/requests/__init__.py'> apps/test_joey.py:4: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/requests/api.py:73: in get return request("get", url, params=params, **kwargs) kwargs = {} params = None url = 'https://www.example.com' /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/requests/api.py:59: in request return session.request(method=method, url=url, **kwargs) kwargs = {'params': None} method = 'get' session = <requests.sessions.Session object at 0x7f10ebaada90> url = 'https://www.example.com' /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/requests/sessions.py:589: in request resp = self.send(prep, **send_kwargs) allow_redirects = True auth = None cert = None cookies = None data = None files = None headers = None hooks = None json = None method = 'get' params = None prep = <PreparedRequest [GET]> proxies = {} req = <Request [GET]> self = <requests.sessions.Session object at 0x7f10ebaada90> send_kwargs = {'allow_redirects': True, 'cert': None, 'proxies': OrderedDict(), 'stream': False, ...} settings = {'cert': None, 'proxies': OrderedDict(), 'stream': False, 'verify': True} stream = None timeout = None url = 'https://www.example.com' verify = None /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/requests/sessions.py:703: in send r = adapter.send(request, **kwargs) adapter = <requests.adapters.HTTPAdapter object at 0x7f10ebaada30> allow_redirects = True hooks = {'response': []} kwargs = {'cert': None, 'proxies': OrderedDict(), 'stream': False, 'timeout': None, ...} request = <PreparedRequest [GET]> self = <requests.sessions.Session object at 0x7f10ebaada90> start = 1733064371.649901 stream = False /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/requests/adapters.py:667: in send resp = conn.urlopen( cert = None chunked = False conn = <urllib3.connectionpool.HTTPSConnectionPool object at 0x7f10ebaadd30> proxies = OrderedDict() request = <PreparedRequest [GET]> self = <requests.adapters.HTTPAdapter object at 0x7f10ebaada30> stream = False timeout = Timeout(connect=None, read=None, total=None) url = '/' verify = True /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/urllib3/connectionpool.py:715: in urlopen httplib_response = self._make_request( assert_same_host = False body = None body_pos = None chunked = False clean_exit = False conn = None destination_scheme = None err = None headers = {'User-Agent': 'python-requests/2.32.3', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive'} http_tunnel_required = False is_new_proxy_conn = False method = 'GET' parsed_url = Url(scheme=None, auth=None, host=None, port=None, path='/', query=None, fragment=None) pool_timeout = None redirect = False release_conn = False release_this_conn = True response_kw = {'decode_content': False, 'preload_content': False} retries = Retry(total=0, connect=None, read=False, redirect=None, status=None) self = <urllib3.connectionpool.HTTPSConnectionPool object at 0x7f10ebaadd30> timeout = Timeout(connect=None, read=None, total=None) timeout_obj = Timeout(connect=None, read=None, total=None) url = '/' /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/urllib3/connectionpool.py:404: in _make_request self._validate_conn(conn) chunked = False conn = <urllib3.connection.HTTPSConnection object at 0x7f10ebaadd60> httplib_request_kw = {'body': None, 'headers': {'User-Agent': 'python-requests/2.32.3', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive'}} method = 'GET' self = <urllib3.connectionpool.HTTPSConnectionPool object at 0x7f10ebaadd30> timeout = Timeout(connect=None, read=None, total=None) timeout_obj = Timeout(connect=None, read=None, total=None) url = '/' /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/urllib3/connectionpool.py:1060: in _validate_conn conn.connect() __class__ = <class 'urllib3.connectionpool.HTTPSConnectionPool'> conn = <urllib3.connection.HTTPSConnection object at 0x7f10ebaadd60> self = <urllib3.connectionpool.HTTPSConnectionPool object at 0x7f10ebaadd30> /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/urllib3/connection.py:363: in connect self.sock = conn = self._new_conn() self = <urllib3.connection.HTTPSConnection object at 0x7f10ebaadd60> /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/urllib3/connection.py:174: in _new_conn conn = connection.create_connection( extra_kw = {'socket_options': [(6, 1, 1)]} self = <urllib3.connection.HTTPSConnection object at 0x7f10ebaadd60> /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/urllib3/util/connection.py:85: in create_connection sock.connect(sa) address = ('www.example.com', 443) af = <AddressFamily.AF_INET: 2> canonname = '' err = None family = <AddressFamily.AF_UNSPEC: 0> host = 'www.example.com' port = 443 proto = 6 res = (<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('93.184.215.14', 443)) sa = ('93.184.215.14', 443) sock = <socket.socket fd=12, family=2, type=1, proto=6, laddr=('0.0.0.0', 0)> socket_options = [(6, 1, 1)] socktype = <SocketKind.SOCK_STREAM: 1> source_address = None timeout = None _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ inst = <socket.socket fd=12, family=2, type=1, proto=6, laddr=('0.0.0.0', 0)> args = (('93.184.215.14', 443),), host = '93.184.215.14' def guarded_connect(inst, *args): host = host_from_connect_args(args) if host in allowed_ip_hosts_and_hostnames or ( _is_unix_socket(inst.family) and allow_unix_socket ): return _true_connect(inst, *args) > raise SocketConnectBlockedError(allowed_list, host) E pytest_socket.SocketConnectBlockedError: A test tried to use socket.socket.connect() with host "93.184.215.14" (allowed: "calendar.google.com (142.251.167.100,142.251.167.101,142.251.167.102,142.251.167.113,142.251.167.138,142.251.167.139,2607:f8b0:4004:c09::65,2607:f8b0:4004:c09::66,2607:f8b0:4004:c09::71,2607:f8b0:4004:c09::8b),localhost (127.0.0.1,::1),oncall-dev-mariadb ()"). allow_unix_socket = False allowed_ip_hosts_and_hostnames = {'127.0.0.1', '142.251.167.100', '142.251.167.101', '142.251.167.102', '142.251.167.113', '142.251.167.138', ...} allowed_list = ['calendar.google.com (142.251.167.100,142.251.167.101,142.251.167.102,142.251.167.113,142.251.167.138,142.251.167.139...8b0:4004:c09::66,2607:f8b0:4004:c09::71,2607:f8b0:4004:c09::8b)', 'localhost (127.0.0.1,::1)', 'oncall-dev-mariadb ()'] args = (('93.184.215.14', 443),) host = '93.184.215.14' inst = <socket.socket fd=12, family=2, type=1, proto=6, laddr=('0.0.0.0', 0)> /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/pytest_socket.py:252: SocketConnectBlockedError ``` ## Checklist - [x] Unit, integration, and e2e (if applicable) tests updated - [x] Documentation added (or `pr:no public docs` PR label added if not required) - [x] Added the relevant release notes label (see labels prefixed w/ `release:`). These labels dictate how your PR will show up in the autogenerated release notes.	2024-12-02 10:53:18 -05:00
Matias Bordese	bb4875f8a5	feat: add service account checks in plugin auth (#5305) ... Related to https://github.com/grafana/oncall-private/issues/2826 Related to https://github.com/grafana/irm/pull/459 Allow org sync requests from service account users. Also trigger a sync during public API requests if the org wasn't yet setup.	2024-11-28 19:03:07 +00:00
Matias Bordese	2bcbac8454	Enable service account token auth for public API (#5254) ... Related to https://github.com/grafana/oncall-private/issues/2826 Continuing work started in https://github.com/grafana/oncall/pull/5211, this adds support for Grafana service accounts tokens for API authentication (except alert group actions which will still require a user behind). Next steps would be updating the go client and the terraform provider to allow service account token auth for OnCall resources. Following proposal 1.1 from [doc](https://docs.google.com/document/d/1I3nFbsUEkiNPphBXT-kWefIeramTY71qqZ1OA06Kmls/edit?usp=sharing).	2024-11-19 12:52:23 +00:00
Matias Bordese	dbba664a1f	Check for user.is_active during mobile app auth (#4990) ... Related to https://github.com/grafana/support-escalations/issues/12253	2024-09-06 12:25:23 +00:00
Matias Bordese	35f23cdcc6	Rework organization sync and grafana plugin engine backend (#4756) ... Related to https://github.com/grafana/oncall-private/issues/2806#issuecomment-2246286918. Prepare engine for the backend plugin enablement/migration: - Refactor sync code - Improve plugin user authentication to set up user on-the-fly (when missing) - Implement v2 endpoints for install, sync and status (to be used via the backend plugin) (most of the changes come from https://github.com/grafana/oncall/pull/4657; backport all engine changes that keep backwards compatibility)	2024-07-31 16:12:56 +00:00
Yulya Artyukhina	477062bb0c	Integration backsync token (#4056) ... # What this PR does Adds auth token for integrations backsync Related to https://github.com/grafana/oncall-private/issues/2542 ## Checklist - [x] Unit, integration, and e2e (if applicable) tests updated - [x] Documentation added (or `pr:no public docs` PR label added if not required) - [x] Added the relevant release notes label (see labels prefixed w/ `release:`). These labels dictate how your PR will show up in the autogenerated release notes.	2024-03-18 09:16:54 +00:00
Michael Derynck	e9f2178da1	Change service account auth to use instance id instead (#3435) ... # What this PR does Change GrafanaServiceAccountAuth to use instance ID header in cloud instead of slugs. ## Which issue(s) this PR fixes ## Checklist - [x] Unit, integration, and e2e (if applicable) tests updated - [x] Documentation added (or `pr:no public docs` PR label added if not required) - [x] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not required)	2023-11-28 15:56:29 +00:00
Michael Derynck	60ef4348f5	Allow OnCall API to use Grafana Service Accounts (#3189) ... # What this PR does Allows public OnCall API to use Grafana service accounts for authorization. In cloud requests using a Grafana service account token also needs to provide headers for `X-Grafana-Org-Slug` and `X-Grafana-Instance-Slug` This is **alpha** functionality, it may break or be removed in the future. Going to use this on one endpoint (resolution notes) before we consider the implications across all of public API. ## Which issue(s) this PR fixes ## Checklist - [x] Unit, integration, and e2e (if applicable) tests updated - [x] Documentation added (or `pr:no public docs` PR label added if not required) - [x] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not required)	2023-11-23 16:42:27 +00:00
Vadim Stepanov	c921674471	Improve plugin authentication (#1995) ... # What this PR does Handle different failing authentication scenarios (e.g. when token is invalid or instance context is not a valid JSON) so endpoints return appropriate response code (401 instead of 500). ## Which issue(s) this PR fixes Related to https://github.com/grafana/oncall-private/issues/1633 ## Checklist - [x] Unit, integration, and e2e (if applicable) tests updated - [x] Documentation added (or `pr:no public docs` PR label added if not required) - [x] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not required)	2023-05-23 16:13:25 +00:00
Michael Derynck	6b40f95033	World, meet OnCall! ... Co-authored-by: Eve832 <eve.meelan@grafana.com> Co-authored-by: Francisco Montes de Oca <nevermind89x@gmail.com> Co-authored-by: Ildar Iskhakov <ildar.iskhakov@grafana.com> Co-authored-by: Innokentii Konstantinov <innokenty.konstantinov@grafana.com> Co-authored-by: Julia <ferril.darkdiver@gmail.com> Co-authored-by: maskin25 <kengurek@gmail.com> Co-authored-by: Matias Bordese <mbordese@gmail.com> Co-authored-by: Matvey Kukuy <motakuk@gmail.com> Co-authored-by: Michael Derynck <michael.derynck@grafana.com> Co-authored-by: Richard Hartmann <richih@richih.org> Co-authored-by: Robby Milo <robbymilo@fastmail.com> Co-authored-by: Timur Olzhabayev <timur.olzhabayev@grafana.com> Co-authored-by: Vadim Stepanov <vadimkerr@gmail.com> Co-authored-by: Yulia Shanyrova <yulia.shanyrova@grafana.com>	2022-06-03 08:09:47 -06:00